2.When
client points to master, pwdFailures are duly recorded and respected. Password
auth works as expected.

3.When
clients points to slave with chaining disabled, password auth and changes work
fine but obviously pwdFailures are not recorded anywhere - neither on slave or
master.

4.When
client points to slave with chaining enabled, password auth breaks meaning user
can type any string and still get a successful auth. Interestingly, in this
case, pwdFailures get recorded on slave and master.

Why or how a bind succeeds with a wrong password is
weird. With slapd.d type config, the chain directives go under
"frontendconfig" so I suspect the solution must lie there.

As a sidenote, I am thinking of doing without slaves and
just creating more primaries in multi-mode replication. Seems less complicated
in terms of configuration and maintenance.